"COMPUTER MEMORY PROTECTION"
THIS INVENTION relates to computer security.
In particular, the invention is directed to a method and
apparatus for preventing the unauthorised writing of data
to selected portions of a memory device, such as a hard
disc of a computer. The invention is particularly useful
for preventing "virus" programmes becoming resident in a
computer memory device.

BACKGROUND OF THE INVENTION 

So-called "virus" computer programmes, or more
simply "viruses", are unwanted programmes which are
designed to interfere with the normal or intended
operation of a computer. Although some viruses may only
be mischievous in their operation, many viruses are
written with malicious intent to cause serious damage,
for example by destroying valuable data on a hard disc or
otherwise rendering such data irretrievable. The damage
caused by such computer viruses can be catastrophic.

Any virus, regardless of its effect, is a
threat to the security of a computer system. Significant
costs and downtime are incurred in searching for, and
eradicating, virus programmes which may have found their
way into a computer memory, and replacing lost data and
programmes. With the increasing prevalence and variety
of virus programmes in recent years, viruses pose a
serious threat to all computer systems, large or small.

Various virus detection techniques have been
proposed. Such techniques are normally software-based.
Typically, an anti-virus programme attempts to detect the
presence of a virus in a computer memory, such as a hard
disc, by searching for a characteristic string of binary
digits which identifies the virus. However, such
software techniques are not effective for all known
viruses. Further, some virus programmes are known to
"mutate" and alter their characteristic string, thereby
making such programmes virtually undetectable using
conventional software techniques.

Another known anti-virus programme seeks to
foil the intended operation of the virus by trapping
interrupt commands. However, this known programme is not
always effective against some viruses, and completely
ineffective against others.

U.S. patent no. 5,144,660 (and its equivalent
Australian patent application no. 40095/89) describes a
method of securing a computer against undesired write
operations to, or read operations from, a hard disc of
the computer in order to protect the computer against
viruses. This method involves interposing logic
circuitry between the disc controller and the read/write
head(s) of the disc drive, decoding control signals
between the controller and the disc drive and, in
response to such decoding, controlling the write or read
operations from the disc drive.

However, the protection technique taught by
U.S. patent no. 5,144,660 has several inherent
disadvantages. First, since the logic circuitry is
interposed between the controller and the hard disc, it
is only possible to read or write protect whole cylinders
on the disc. That is, it is not possible to
differentiate between sectors within a particular
cylinder on the disc. For example, cylinder 0 head 0
sector 1 of the disc normally contains a partition table
and the rest of the sectors are not used. The prior art
system requires that all sectors on the cylinder be
protected even though only one sector is required to be
protected as a precaution against virus programmes.
Further, cylinder 0 head 1 sector 1 is normally allocated
to the master DOS boot record, while cylinder 0 head 1
sector 2 is normally the file allocation table. Although
it may be desired to protect the master DOS boot record
but not the file allocation table, the prior art method
and apparatus does not permit such differentiation within
a cylinder.

Secondly, the prior art method and apparatus
are not suitable for computer systems in which the disc
controller and the read/write head(s) are formed as a
single unit.

Thirdly, since separate cables are provided for
control and data signals, the protection apparatus of
U.S. patent no. 5,144,660 requires a counter to track the
particular cylinder being addressed.

Fourthly, the prior art protection apparatus
cannot differentiate between signals sent by the CPU to
the disc controller, e.g. between write commands and "low
level" format commands. As the write protection device
was positioned between the controller and the disc, it
was impossible to tell whether the controller was writing
data or doing a low level format command as both give the
same signals leaving the controller.

It is an object of the present invention to
provide improved apparatus and method for preventing
unwanted information, data or programmes, such as
viruses, being written to a data storage device of a
computer.

SUMMARY OF THE INVENTION 
In one broad form, the present invention
provides apparatus for preventing the unwanted writing of
data to selected portion(s) of a memory device of a
computer having a CPU and a controller for the memory
device, the apparatus comprising a write protection
device having

memory means containing the address(es) of
selected portion(s) of the memory to which data
is not intended to be written;

decoding means for reading the address of any
write command to the memory device;

comparator means for comparing the write
address with the address(es) of the selected
portion(s) and

disabling means responsive to the output of the
comparator means for disabling the write
command,

characterised in that the write protection device is
connected between the CPU and the controller.

Preferably, the decoding means also detects low
level format commands and these are stopped in the same
manner as write commands to protected sectors.

In another form, the present invention provides
a method of preventing unwanted writing of data to
selected portion(s) of a memory device of a computer
having a CPU and a controller for the memory device,
comprising the steps of

(a) selecting the portion(s) of the memory
device to which data is not intended to be written and
storing the address(es) of the portion(s),

(b) reading the address of any write command
from the CPU to the controller,

(c) comparing the write address with the stored
address(es) of the preselected portion(s), and

(d) disabling those write commands having an
address corresponding to the preselected portion(s),

characterised in that steps (b)-(d) are
performed by a write protection device connected between
the CPU and the controller.

Preferably, low level format commands are also
detected and disabled.

The term "data" is intended to include any
information or program which may be stored in electronic
or magnetic format in the memory device.

Typically, the memory device is the hard disc
of a computer, but may be any other sectored or
addressable non-volatile memory device, such as a laser
disc, floppy disc, RAM, etc.

As the memory is write protected by hardware
means, the security system cannot be overwritten or
circumvented by software.

By using hardware to physically prevent the
writing of data to preselected portions of the memory
device, those portions of the memory device effectively
become read-only-memory, permitting data to be read but
not written thereto. Since all data will be prevented
from being written to the preselected portions of the
storage device, viruses will be thwarted, regardless of
their particular composition or mode of operation, as
such viruses will not be able to become resident in the
preselected portions of the memory device.

A particular advantage of the present invention
is that individual portions of the memory device
corresponding to specific addresses can be protected
separately. Thus, if the memory device is a hard disc,
individual sectors in a particular cylinder can be
protected. The logic circuitry detects any attempt to
write a particular sector by decoding the write address
and comparing it with stored addresses of sectors to be
write protected. If an attempt is made to write to a
"protected" sector, the write command will be disabled,
i.e. the write command will be prevented from reaching
the controller or otherwise rendered ineffective.
However, if an attempt is made to write to a sector which
is not protected, the write command will be permitted to
be executed even though that sector may be in the same
cylinder as a protected sector.

A virus programme normally is transferred to
the boot sector of a hard disc of the computer, typically
when the computer is switched on with a floppy disc
(having the virus programme) inserted in a disc drive of
the machine. In the preferred embodiment of this
invention, the boot sector, and all the sectors in the
partition area, are permanently write barred. That is,
these portions of the hard disc of the computer would
normally always be selected to prevent the writing of any
data or programme thereto.

If other portions of the memory device are to
be write barred, the addresses of these portions can be
stored in a look-up table, e.g. in non-volatile memory.
The address of any write command can then be compared
also with the addresses in the look-up table to ascertain
whether the write command will be carried out.

Since the write protection device of this
invention is inserted between the CPU and the controller,
it has the advantage of being able to selectively prevent
other commands, such as low level format commands, from
being executed.

In order that the invention may be more fully
understood and put into practice, a preferred embodiment
thereof will now be described with reference to the
accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 
Fig. 1 is a circuit diagram illustrating the
write protection circuit of an embodiment of this
invention connected to a computer system;

Fig. 2 is a circuit diagram of part of the
write protection circuit of Fig. 1 for fixed memory
portions; and

Fig. 3 is a circuit diagram of part of the
write protection device of Fig. 1 for selectable memory
portions.

DESCRIPTION OF PREFERRED EMBODIMENT
The write protection circuit of the illustrated
embodiment monitors all commands sent to the controller
for the memory or storage device, typically a hard disc.
These commands will move the read/write head or other
mechanism to a particular portion of the storage device,
e.g. to a particular sector of the hard disc. In
particular, the write protection device detects write and
format commands.

The write protection device tracks these sector
commands and compares the write addresses with
preselected addresses and/or addresses in a look-up table
to determine whether a write command is permissible. If
the write address corresponds to a preset sector or a
sector listed in the look-up table, the write protection
circuit disables the write command, e.g. by not
permitting the command to reach the storage device. Low
level format commands are also disabled. All read
commands, however, are unaffected.

As illustrated in the drawings, particularly
Fig. 1, the write protection device 10 can be mounted on
a card and interconnected between the CPU and the
controller of the hard disc (or other storage device) of
a computer. Plug-in and/or piggy-back connections
connected to the input and output of the card allow quick
and simple installation in the computer.

The write protection device taps into the
memory data bus to monitor the commands from the CPU to
the controller for the hard disc. These commands may
include read, write, format, recalibrate, verify, reset
and identify commands. The recalibrate, write, format
and reset commands are detected. A sector within the
hard disc is selected by writing values to registers in
the hard drive controller to select a particular
read/write head, a track or cylinder, and the required
sector on that cylinder.

As shown more specifically in Fig. 2, the
commands on the data bus are tracked by an instruction
decoder 11 which detects any write or low level format
commands and provides the appropriate output. The
commands are also fed to registers 12-15 which have been
preset to detect preselected values. In the illustrated
embodiment, these values correspond to all sectors in the
partition area, and the boot sector, of the hard disc.
(The partition area is cylinder 0, head 0 and all the
sectors on that cylinder/head. The boot sector is
cylinder 0, head 1, sector 1).

If the sector of the command address fed to
registers 12-15 corresponds to one of the preset sector
addresses representing the partition area or boot sector,
the output of AND gate 2 or AND gate 3 will be high, and
hence the output of OR gate 4 will also be high. The
output of the OR gate 4 is ANDed with the WRITE command
output from the instruction decoder 11 by AND gate 5.

The output of AND gate 5 is inverted by
inverter 9, and ANDed with the system write command by
AND gate 6, the output (HDIOW) of which is fed to the
device controller. Thus, if the command address
corresponds to one of the preset addresses in latches 12-15,
the write command will be prevented from reaching the
device controller.

If the output of AND gate 5 goes high, an alarm
8 is triggered by flip-flop 7 indicating that an attempt
has been made to write to a protected area of the disc.
Once the alarm 8 has been triggered the output Q of
flip-flop 7 is latched low and all write commands are stopped
by AND gate 6 regardless of their drive or sector. This
acts as a fail safe to prevent further damage once the
protected sectors are threatened.

Jumper switch J2 is connected to the input of
AND gate 5 to effectively short out the write protection
mechanism, e.g. if it is desired to write to the
protected areas. The jumper switch J2 may suitably be
key operated.

If other sectors of the hard disc are to be
write barred, the head/cylinder/sector addresses of such
sectors can be stored in a look-up table in non-volatile
memory, such as an EPROM, EEPROM, or static RAM with
battery backup, connected to the OR gate 4 via jumper
switch J1. As illustrated in Fig. 3, a one Mbyte EEPROM
160 is provided to store the locations of the sectors to
be write protected. These sectors can be varied by
reprogramming the EEPROM 160.

Each command address is compared with the
addresses of the preselected sectors using suitable
comparator means, such as a programmable logic array.
The output of the comparison is fed via J1 to the input
of OR gate 4. Thus, if the command address corresponds
to either the partition area or boot sector or any other
preselected address listed in the look-up table 160, the
output of AND gate 5 will be high and the output of AND
gate 6 (to the controller) will be low, and hence the
write command (IOW) from the CPU will be effectively
prevented from reaching the device controller.

Both the output of AND gate 5 and the FORMAT
COMMAND output of decoder 11 are connected to OR gate 10,
the output of which is connected to inverter 9 and the
alarm 8. In this manner, any low level format command to
any physical drive connected to the controller will be
prevented from reaching the hard disc controller, and
will also trigger the alarm 8. The write protection
device of the illustrated embodiment can therefore
protect against low level format commands while still
allowing write commands.
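
The gate network of Figs. 2 and 3 as described above, modelled in C as an added example that is not part of the patent text. The type and function names, the active-high signal levels and the reading of J2 as bypassing only AND gate 5 are assumptions; the text does not say how flip-flop 7 is cleared, so the model has no reset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names for the outputs of instruction decoder 11. */
typedef enum { CMD_READ, CMD_WRITE, CMD_FORMAT } cmd_kind;

typedef struct { unsigned cyl, head, sector; } chs;

typedef struct {
    bool j1_table_enabled; /* jumper J1: look-up table feeds OR gate 4   */
    bool j2_bypass;        /* jumper J2: shorts out the write protection */
    bool q;                /* flip-flop 7 output Q, high until an alarm  */
    bool alarm;            /* alarm 8                                    */
    const chs *table;      /* sectors listed in the look-up table (160)  */
    size_t table_len;
} wp_device;

wp_device wp_init(const chs *table, size_t n, bool j1) {
    wp_device d = { j1, false, true, false, table, n };
    return d;
}

static bool table_match(const wp_device *d, chs a) {
    for (size_t i = 0; i < d->table_len; i++)
        if (d->table[i].cyl == a.cyl && d->table[i].head == a.head &&
            d->table[i].sector == a.sector)
            return true;
    return false;
}

/* Returns true when the command reaches the controller (HDIOW asserted
   for writes and formats). Reads are unaffected, as the text states. */
bool wp_cycle(wp_device *d, cmd_kind kind, chs a) {
    if (kind == CMD_READ)
        return true;
    bool iow  = true;  /* system write strobe from the CPU */
    bool and2 = a.cyl == 0 && a.head == 0;                  /* partition area */
    bool and3 = a.cyl == 0 && a.head == 1 && a.sector == 1; /* boot sector    */
    bool or4  = and2 || and3 || (d->j1_table_enabled && table_match(d, a));
    bool and5 = or4 && kind == CMD_WRITE && !d->j2_bypass;
    bool or10 = and5 || kind == CMD_FORMAT;
    bool inv9 = !or10;
    if (or10) {            /* flip-flop 7 latches: alarm on, Q low */
        d->alarm = true;
        d->q = false;
    }
    return inv9 && iow && d->q;   /* AND gate 6 drives HDIOW */
}

int main(void) {
    static const chs extra[] = { {5, 2, 9} };  /* constructed table entry */
    wp_device d = wp_init(extra, 1, true);
    chs fat = {0, 1, 2}, boot = {0, 1, 1};
    printf("write FAT:        %d\n", wp_cycle(&d, CMD_WRITE, fat));
    printf("write boot:       %d\n", wp_cycle(&d, CMD_WRITE, boot));
    printf("write FAT again:  %d (alarm=%d)\n",
           wp_cycle(&d, CMD_WRITE, fat), d.alarm);
    return 0;
}
```

The third call shows the fail-safe: after one blocked write, a write to an unprotected sector in the same cylinder is also stopped.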

In summary, the write protection device of the
illustrated embodiment monitors the read/write commands
in parallel with the hard disc controller and will
normally allow all commands to reach the controller.
However, when a write command is issued, and the
read/write heads have been positioned to the restricted
sectors, the write command will be prevented from
reaching the controller, thereby preventing writing to
the protected sectors. Low level format commands can
also be blocked separately from write commands.

A particular advantage of the write protection 
system is that as there is no overhead in time required 
to check the validity of the write command, there is no 
degradation in performance. 

As the write protection device is based wholly
on hardware, it can be adapted to any software operating
system.

The foregoing describes only one embodiment of
the invention, and modifications which are obvious to
those skilled in the art may be made thereto without
departing from the scope of the invention as defined in
the following claims. For example, although the write
protection device has been described with particular
reference to a hard disc, it can be used to protect any
memory system based on a sector type format.

The decoder 11 can also be modified to detect
other selected commands to be disabled.

CLAIMS:

1. Apparatus for preventing the unwanted writing
of data to selected portion(s) of a memory device of a
computer having a CPU and a controller for the memory
device, the apparatus comprising a write protection
device having

memory means containing the address(es) of
selected portion(s) of the memory to which data
is not intended to be written;

decoding means for reading the address of any
write command to the memory device;

comparator means for comparing the write
address with the address(es) of the selected
portion(s) and

disabling means responsive to the output of the
comparator means for disabling the write
command,

characterised in that the write protection device is
connected between the CPU and the controller.

2. Apparatus as claimed in claim 1, wherein the
memory device is a hard disc drive.

3. Apparatus as claimed in claim 2, wherein the
addresses of the partition area and the boot sector of
the hard disc are preset in the memory means.

4. Apparatus as claimed in claim 3, wherein the
memory means further comprises a look-up table and the
addresses of further portions of the hard disc which are
to be write protected are stored in the look-up table.

5. Apparatus as claimed in claim 1 wherein the
decoding means also detects any format command and
provides an output to the disabling means to render the
command ineffective.

6. Apparatus as claimed in claim 1, wherein the
write protection device further comprises alarm means
responsive to the comparator means for signalling an
attempt to write to a write protected portion of the
memory device.

7. Apparatus as claimed in claim 6 wherein the
alarm means is also triggered by the detection of a
format command by the decoding means.

8. Apparatus as claimed in claim 1, further
comprising user-operated means for disabling the
operation of the write protection device.

9. Apparatus as claimed in claim 1, wherein the
disabling means includes logic switch means for
preventing the write command from reaching the
controller.

10. A write protection circuit for use with a
computer having a CPU, a memory, and controller means for
the memory, the write protection circuit comprising means
for disabling write commands to the controller means
which are addressed to preselected portions of the
memory, characterised in that the write protection
circuit is adapted to be connected between the CPU and
the controller means.

11. A write protection circuit as claimed in claim
10, comprising decoding means for reading the address of
any write command from the CPU to the controller of the
memory; comparator means for comparing the write address
with stored address(es) corresponding to portion(s) of
the memory intended to be write protected; and disabling
means responsive to the output of the comparator means
for disabling write commands addressed to the stored
address(es).

12. A write protection circuit as claimed in claim
10 further comprising means for disabling format
commands.

13. A method of preventing unwanted writing of data
to selected portion(s) of a memory device of a computer
having a CPU and a controller for the memory device,
comprising the steps of

(a) selecting the portion(s) of the memory
device to which data is not intended to be written and
storing the address(es) of the portion(s),

(b) reading the address of any write command
from the CPU to the controller,

(c) comparing the write address with the stored
address(es) of the preselected portion(s), and

(d) disabling those write commands having an
address corresponding to the preselected portion(s),

characterised in that steps (b)-(d) are
performed by a write protection device connected between
the CPU and the controller.

14. A method as claimed in claim 13 further
comprising the steps of detecting and disabling a format
command to the controller.



WO 93/09495

PCT/AU92/00594

[Drawing sheets (1/3 to 3/3): circuit diagrams of Figs. 1 to 3, not reproduced.]




INTERNATIONAL SEARCH REPORT

International application No. PCT/AU92/00594

A. CLASSIFICATION OF SUBJECT MATTER

Int. Cl. G06F 11/30, 12/14

According to International Patent Classification (IPC) or to both national classification and IPC

B. FIELDS SEARCHED

Minimum documentation searched (classification system followed by classification symbols)
IPC G06F 11/30, 12/14

Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched
AU IPC as above

Electronic data base consulted during the international search (name of data base, and where practicable, search terms used)

DOCUMENTS CONSIDERED TO BE RELEVANT

Category

Y,P

Citation of document, with indication, where appropriate, of the relevant passages

Patent abstract of Japan, P-1313, page 37, JP,A, 3-259359 (FUJITSU LTD)
19 November 1991 (19.11.91)

Patent abstract of Japan, P-786, page 139, JP,A, 63-163943 (YAMATAKE
HONEYWELL CO LTD) 7 July 1988 (07.07.88)

Patent abstract of Japan, P-1429, page 35, JP,A, 4-167038 (TOSHIBA CORP)
15 June 1992 (15.06.92)

Patent abstract of Japan, P-1236, page 9, JP,A, 3-110620 (TOSHIBA CORP)
10 May 1991 (10.05.91)

Relevant to Claim No.

(1-14)
(1-14)
(1-14)
(1-14)

[X] Further documents are listed in the continuation of Box C.

[X] See patent family annex.

* Special categories of cited documents:

"A" document defining the general state of the art which is not considered to be of particular relevance
earlier document but published on or after the international filing date
"L" document which may throw doubts on priority claim(s) or which is cited to establish the publication date of another citation or other special reason (as specified)
"O" document referring to an oral disclosure, use, exhibition or other means
"P" document published prior to the international filing date but later than the priority date claimed
later document published after the international filing date or priority date and not in conflict with the application but cited to understand the principle or theory underlying the invention
"X" document of particular relevance; the claimed invention cannot be considered novel or cannot be considered to involve an inventive step when the document is taken alone
"Y" document of particular relevance; the claimed invention cannot be considered to involve an inventive step when the document is combined with one or more other such documents, such combination being obvious to a person skilled in the art
document member of the same patent family

Date of the actual completion of the international search
3 February 1993 (03.02.93)

Date of mailing of the international search report
09 FEB 1993

Name and mailing address of the ISA/AU
AUSTRALIAN PATENT OFFICE
PO BOX 200
WODEN ACT 2606
AUSTRALIA

Authorized officer
J.W. THOMSON

Facsimile No. 062853929

Telephone No. (06) 2832214

Form PCT/ISA/210 (continuation of first sheet (2)) (July 1992) copmeg



INTERNATIONAL SEARCH REPORT

International application No. PCT/AU92/00594

(Continuation). DOCUMENTS CONSIDERED TO BE RELEVANT

Citation of document, with indication, where appropriate, of the relevant passages

Y    Patent abstract of Japan, P-964, page 77, JP,A, 1-213733 (FUJITSU LTD)
     28 August 1989 (28.08.89)    (1-14)

A,P  Patent abstract of Japan, P-1309, page 108, JP,A, 3-252838 (FUJITSU LTD)
     12 November 1991 (12.11.91)

A    Patent abstract of Japan, P-504, page 112, JP,A, 61-112236 (TOSHIBA CORP)
     30 May 1986 (30.05.86)

Y    AU,A, 40995/89 (ROSE) 8 March 1990 (08.03.90)    (1-14)

Form PCT/ISA/210 (continuation of second sheet) (July 1992) copmeg



INTERNATIONAL SEARCH REPORT
Information on patent family members

International application No. PCT/AU92/00594

This Annex lists the known "A" publication level patent family members relating to the patent documents
cited in the above-mentioned international search report. The Australian Patent Office is in no way liable
for these particulars which are merely given for the purpose of information.

Patent Document Cited in Search Report: AU 40995/89
Patent Family Member: GB 2222899, US 5144660, ZA 8907831

END OF ANNEX

Form PCT/ISA/210 (patent family annex) (July 1992) copmeg






